There is a serious problem with biometrics, and maybe this problem is not voiced loudly enough, since we keep seeing the same thing again and again. The problem is: biometric characteristics cannot be changed. Everybody knows that, right? The logical consequence is: biometric data can be successfully used to identify a person but cannot be used to authenticate a person. Let me repeat that:

The biometric data can be used to identify but not to authenticate a person.

It works very well as a means of identifying someone, and that is how we have used it quite successfully for so many years (what do you think the picture in your passport is?). But in order to use it to authenticate a person, to be an authentication token, the person must be able to change it. Must be able to change the biometric data, period. There is no other way. And almost all research in biometrics revolves around this silly subject: how to change the immutable? After twenty years of this circus it should be obvious to everyone and their dog, but no-o-o…

Biometric data has been successfully used for identification for thousands of years precisely because it is difficult to change. And biometric data could never be used for authentication because it is so hard to change. It is that simple, and still we have hundreds of people around the globe denying the obvious.

Here is a simple rule of thumb: if a “security specialist” talks about providing authentication based on biometric data – run for your life!